Hackers have begun reconstructing Darkode less than two weeks after coordinated worldwide raids took it down
Darkode, a prominent hacker forum, has reappeared online less than two weeks after “the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum” took it down, with a number of members arrested.
That action, coordinated by a number of law enforcement agencies around the world, didn’t result in the arrest of the forum’s principal administrator, known as “Sp3cial1st”, who on Monday reportedly began publicising the new site, darkode.cc, via his Jabber status message.
For now, however, the site bears only a message explaining how the next iteration of Darkode is intended to work.
The previous version of the forum, Darkode.me, was taken down on 14 July in a coordinated action that involved the FBI, Europol, the US Department of Justice and the UK’s National Crime Agency (NCA), as well as more than a dozen national law enforcement bodies.
The action resulted in the arrest of 28 people, bringing the total arrests related to Darkode around the world to 70 in 20 countries, officials said. The site was used by hackers to buy and sell malicious code toolkits and other malware and to exchange information, according to officials.
The NCA said five men have so far been arrested in the UK on Darkover-related charges between November 2013 and March 2015.
“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said David Hickton, US Attorney Attorney for the Western District of Pennsylvania, at the time of the arrests.
The action involved law enforcement bodies in countries including Australia, Bosnia and Herzegovina, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia and Sweden, with arrests in countries including the US, the UK, Sweden and Pakistan.
However, only two of those arrested were active on the forum in the past several years, according to the UK security researcher who writes the MalwareTech blog.
“The FBI might have just grouped together a list of known criminals who were also on Darkode, rather than targeting the forum itself,” he wrote. A message on the new site confirmed that “most of the staff is intact, along with senior members”.
The site’s administrator gave some details on plans for securing the new forum, including the use of the Tor anonymisation network to conceal the location of the site itself as well as to protect the identity of each individual user.
New security measures
“Not only will Darkode now operate from a Tor hidden service, but each user will be given their own onion address to the forum, which is admittedly quite a clever idea,” wrote MalwareTech. “Firstly it would allow the Darkode admins greater control over who gets access, preventing people from accessing a hacked account without the owner’s onion url; it would also allow them to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers.”
Users are to be admitted by invitation only and are to be authenticated using the blockchain interface more commonly associated with Bitcoin wallets, according to the message – techniques intended to make it more difficult for hacked accounts to be used to effect a compromise.
The hackers using the new Darkode should exercise caution in order to avoid entanglement with law enforcement, according to the message.
“Assume anyone you have dealt with that was added to darkode in the last six to eight months may have turned informant and act accordingly,” it said.
Security breaches had been a concern for Darkode even before the most recent raids, according to the MalwareTech researcher.
“The Darkode administrators were compromised at one point after one of them had reused his password on another forum, which had its database leaked a few weeks prior,” he wrote.
Are you a security pro? Try our quiz!